Privacy Policy

Last updated: June 10, 2026

whtvrwrks ("we", "us") is an AI-assisted to-do list at whtvrwrks.com. Your timeline is personal by nature, so this policy is written to be read: what we collect, what we do with it, and the controls you have. The short version — we collect only what the product needs to work, we don't sell or share your data for advertising, and you can export or delete everything yourself.

What we collect

Account information

Your email address, a display name, and a password. Passwords are stored only as salted hashes, never in plain text. When you sign up we email you a verification code; verifying confirms you control the address.

Your timeline content

Everything you put on your timeline: tasks, events, notes, tags, details/checklists, locations, recurrence rules, completion records, and appearance preferences. If you log measurements, those values are stored too — including body metrics such as weight or sleep if you choose to track them. Measurements you log about yourself are sensitive data; we treat all timeline content with the same protections and never use it for anything beyond providing the service to you.

Location data

Tasks can carry a place — freeform text, a point you pick on the map, or an entry from your saved-locations list (e.g. Home, Office). These coordinates are stored with your timeline data. If you turn on weather chips, the location you set for weather is kept in your browser, and its coordinates are sent to our weather provider to fetch forecasts. Place-name searches in the map picker are forwarded to a geocoding service to resolve them (see "Service providers" below). We never track your device's location in the background; using your browser's location is always an explicit action you take.

Assistant conversations

Your chat sessions with the assistant, including the messages you send, the assistant's replies, and the persona and memory notes you (or the assistant, for memory) maintain on the Context page.

Google Calendar (optional)

If you connect Google Calendar, we read your calendar events (read-only) and import them into your timeline. We access only the data needed for this feature, we don't transfer it to anyone else, and we never use it for advertising. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. You can disconnect at any time from the app.

Billing and usage

Your credit balance and a ledger of usage: for each assistant message, the model used, token counts, and the amount debited. We also record aggregate usage statistics to understand service costs.

Waiting list

If you join the waiting list we store your email address, protected by an anti-bot check. We send one email — your invite — and delete your address once it's sent. Every waitlist email includes a removal link if you change your mind before then.

Technical data

The service runs on Cloudflare's network, which processes standard request metadata (IP address, user agent) to serve and secure the site. Sign-up and waitlist forms use Cloudflare Turnstile to deter bots.

How we use your data

To provide the service: storing and displaying your timeline, answering your messages, syncing your calendar if connected, sending transactional email (verification codes, password resets, invites), metering usage against your credit balance, and keeping the service secure. That's the list. We don't sell your data, share it with advertisers, or build profiles for any purpose other than the features you use.

AI processing

whtvrwrks is an AI product. When you chat with the assistant, your message — together with relevant context such as your timeline snapshot, persona, and memory notes — is processed by a large language model running on Cloudflare Workers AI to generate the reply. Your data is not used to train AI models. The assistant can act on your timeline (create, edit, complete tasks) only within your own account and the items explicitly shared with you.

Sharing between users

Nothing is visible to other users unless you explicitly share it. Connecting with another user requires their consent (invite → accept), and sharing individual tasks, events, or metrics is per-item and per-person. Shared items remain stored in your account; the other person sees a live view that disappears the moment you revoke the share. When someone shares an item with you, you see their name on it; the same applies in reverse.

Service providers

We use a small number of providers to run the service:

• Cloudflare — hosting, storage, AI inference, email sending, bot protection, and aggregate analytics. All your data is stored on Cloudflare infrastructure; each account's timeline lives in its own isolated per-user database.
• Open-Meteo — weather forecasts. Receives only the coordinates of the place you set for weather, never your account identity.
• Photon (komoot) — place search in the map picker. Receives your search text and map position, proxied through our servers so your IP address is not exposed.
• Google — only if you connect Google Calendar, as described above.

Map tiles are served from our own infrastructure — no third-party map service sees what you look at.

Data retention and deletion

• Export — you can export your timeline data from the app at any time.
• Wipe timeline data — a self-service action on your Account page deletes all tasks, events, notes, measurements, and tags while keeping your account.
• Delete account — also on your Account page; permanently deletes your timeline data, chat history, and account records.
• Waiting list — your address is deleted when your invite is sent, or earlier via the removal link.

Your rights

Depending on where you live (for example under the GDPR or UK GDPR), you may have rights to access, correct, export, delete, or restrict the processing of your personal data, and to lodge a complaint with a supervisory authority. Most of these you can exercise directly in the app (export, edit, wipe, delete); for anything else, contact us at the address below and we'll respond within a month.

Cookies

We use one essential cookie: your session, so you stay signed in. Cloudflare Turnstile may set its own cookie as part of bot detection on public forms. There are no advertising or cross-site tracking cookies, so there's no cookie banner.

Security

All traffic is encrypted in transit (TLS). Passwords are hashed. Each user's timeline is stored in its own isolated database. API tokens you create for external integrations are scoped and revocable. Staff access to customer data goes through a single restricted administrative surface and is limited to what support and abuse handling require.

Children

whtvrwrks is not directed at children and is not intended for anyone under 16. We don't knowingly collect data from children; if you believe a child has created an account, contact us and we'll delete it.

Changes to this policy

If we make material changes we'll update this page and note the new date at the top; for significant changes affecting your rights we'll email you before they take effect.

Contact

Questions or requests: support@whtvrwrks.com.